NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

4. Securing the Web Server Operating System

Protecting a Web server from compromise involves hardening the underlying OS, the Web server application, and the network to prevent malicious entities from directly attacking the Web server. The first step in securing a Web server, hardening the underlying OS, is discussed at length in this section. (Securing the Web server application and the network are addressed in Sections 5 and 8, respectively.)

All commonly available Web servers operate on a general-purpose OS. Many security issues can be avoided if the OSs underlying the Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security. Because manufacturers are unaware of each organization’s security needs, each Web server administrator must configure new servers to reflect their organization’s security requirements and reconfigure them as those requirements change. The practices recommended here are designed to help Web server administrators configure and deploy Web servers that satisfy their organizations’ security requirements. Web server administrators managing existing Web servers should confirm that their systems address the issues discussed.
The techniques for hardening different OSs vary greatly; therefore, this section includes the generic procedures common in securing most OSs. Security configuration guides and checklists for many OSs are publicly available; these documents typically contain recommendations for settings that improve the default level of security, and they may also contain step-by-step instructions for securing systems.[16] In addition, many organizations maintain their own guidelines specific to their requirements. Some automated tools also exist for hardening OSs, and their use is strongly recommended (see Appendix D).
Five basic steps are necessary to maintain basic OS security:

- Planning the installation and deployment of the host OS and other components for the Web server
- Patching and updating the host OS as required
- Hardening and configuring the host OS to address security adequately
- Installing and configuring additional security controls, if needed
- Testing the host OS to ensure that the previous four steps adequately addressed all security issues.

The first step is discussed in Section 3. The other steps are covered in Sections 4.1 and 4.2.
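As an added example (not code from SP 800-44 or from any NIST checklist), the Python script below treats the fifth step, testing the host, as an automated gate over steps two and three: it reports pending security updates and checklist settings whose current value differs from the required one. The checklist keys, the update-line format and the sample host state are constructed assumptions for illustration only.

```python
"""Pre-deployment gate for a Web server host OS (added example, not NIST's code).
Models step five above: testing that patching (step 2) and hardening (step 3) were
applied. Checklist keys, the update-line format and the sample host state are
constructed for illustration, not taken from a NIST checklist."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    step: str      # which of the section's five steps the finding belongs to
    item: str      # package or setting name
    expected: str
    actual: str

# Constructed hardening checklist (step 3): required value per setting.
HARDENING_CHECKLIST = {
    "net.ipv4.ip_forward": "0",        # a Web server should not route traffic
    "kernel.randomize_va_space": "2",  # full ASLR
    "PermitRootLogin": "no",           # sshd: no direct root logins
}

def pending_security_patches(upgradable_lines):
    """Names of packages whose pending update comes from a '*-security' source.
    Each line has the constructed form 'pkg current -> candidate source'."""
    pending = []
    for line in upgradable_lines:
        parts = line.split()
        if len(parts) == 5 and parts[4].endswith("-security"):
            pending.append(parts[0])
    return pending

def audit_host(host_settings, upgradable_lines, checklist=HARDENING_CHECKLIST):
    """Return all Findings for the host; an empty list means the gate passes."""
    findings = []
    for pkg in pending_security_patches(upgradable_lines):  # step 2: patching
        findings.append(Finding("2 patching", pkg, "up to date", "security update pending"))
    for key, expected in checklist.items():                # step 3: hardening
        actual = host_settings.get(key, "<unset>")
        if actual != expected:
            findings.append(Finding("3 hardening", key, expected, actual))
    return findings

if __name__ == "__main__":
    # Constructed sample host: one pending security patch, one wrong sysctl, one unset.
    sample_settings = {"net.ipv4.ip_forward": "1", "kernel.randomize_va_space": "2"}
    sample_updates = ["openssl 1.0-1 -> 1.0-2 sample-security",
                      "vim 8.0-1 -> 8.1-1 sample-updates"]
    for f in audit_host(sample_settings, sample_updates):
        print(f"FAIL step {f.step}: {f.item} expected {f.expected!r}, got {f.actual!r}")
```

In practice the two inputs would come from the host itself (its package manager's upgradable list and its sysctl and sshd configuration) rather than from constructed samples.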
4.1 Installing and Configuring the Operating System

This section provides an overview of the second, third, and fourth steps in the list above. The combined result of these steps should be a reasonable level of protection for the Web server’s OS.

4.1.1 Patch and Upgrade Operating System

Once an OS is installed, applying needed patches or upgrades to correct for known vulnerabilities is essential. Any known vulnerabilities an OS has should be corrected before using it to host a Web server
[16] Checklists and implementation guides for various operating systems and applications are available from NIST at http://checklists.nist.gov/. Also, see NIST SP 800-70, Security Configuration Checklists Program for IT Products, available at the same Web site, for general information about NIST’s checklists program.